Having the Right Conversation about Online Banking Security

Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress.

No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world of logical access control. ActivIdentiy makes most of its money selling often highly customized authentication solutions to businesses, but they derive a large chunk of their income (about 20 percent) from what they call “commercial business”, which essentially means online banking.

Now, conventional thinking says that European and especially German banks are light-years ahead of the rather archaic US banking system in terms of offering customers online access to their accounts and portfolios, as well as in many other respects (nobody in Europe has used a check in at least a decade!).

ActivIdentity, Julian says, has customers in the financial industry on both sides of the Atlantic, so they know what the differences are. In a nutshell, he says, European banks are more concerned with security, while American banks worry about the customer experience. Anything that would make it hard for US consumers to understand what to do next is more or less automatically a no-starter, and if that means there is a bigger danger of the customer’s account being hacked, then so be it. If necessary the bank will simple reimburse the customer without too many questions asked and swallow the damage. Better, anyway, than watching him switch to another bank.

This may change faster than many think. According to rumor, the FFIEC, a watchdog institution which is charged by the Fed with prescribing “uniform principles, standards, and report forms for the federal examination of financial institutions”, is worried about the explosive growth of bank phishing, session hijacking and financial malware such as the ZeuS Trojan and Spyeye, so they are getting ready to issue a set of guidelines that will substantially tighten oversight of online banking systems and force banks to invest heavily in new ways to protect customers from online villainy. For instance, the FFIEC is apparently going to finally provide a real-world definition of the term “reasonable security” which banks are taxed to provide whenever a customer accesses his account from a computer or, as is increasingly the case, from a smartphone.

In Europe, banks have traditionally relied on session-based authentication. In Germany, typically, clients are issued so-called “TANs” (Transaction Numbers) which are essentially one-time passwords. These used to be issued as lists on paper which you received in the mail. Every time you used one, you had to strike it through so you didn’t inadvertently try to use it again. This system has now largely been replaced by so-called “SIM TANs” which are sent as a text message to the clients mobile phone.

Of course, since smartphones are actually small but powerful computers, many people now use them to do their home banking, so sending the security token to the same device violates the principle of “out-of-band” authentication so dear to the hearts of most security people who work for banks.

You can argue that doesn’t matter because my smartphone is already protected by a password in addition to the normal username/password combination the bank requires to access my account. Add the TAN, and you have what I guess could be called three- or even four-factor authentication, which ain’t that bad. But banks in the US, at least, are going further and introducing dedicated smartphone apps that are tied to the customers phone via a software credential.

Julian makes a concvincing case for a hardware-based system using a Micro-SD card, probably because that is something his company does very well for some government agencies, but he admits the concept probably won’t fly in the consumer market because it’s unwieldy and impacts the user experience (see above): You usually need to remove your phone’s battery and fiddle around with a tiny chip card that is about the size of a contact lens, and just as slippery.

In our talk, Julian proposed a completely different approach which he calls “customer managed security”. In that kind of world, the customer would have a choice of options, some of them very secure, some of them less so. It would be up to him or her to arrive at the desired tradeoff between security and ease of use. If you chose a simple system such as TAN, then maybe the bank will restrict the amount you can transfer during an individual session, or it will prohibit you from sending money to someone you have never done business with before. If, on the other hand, you opt for the full Monty (let’s say: transaction verification via text message), then you can do anything you like.

He foresees things like allowing customers to create different profiles for different situations, like “in the office”, “at home” or “on the road”, each with different security settings and requiring different levels of authentication and entitlement.

I must have frowned a bit when he said this, because he became very eager to convince me that consumers will actually accept something like this.

First, he argues, they are all on Facebook, so they have become used to the concept of different levels of access and hence authentication. You don’t want grandma to see those pictures of you puking at the party last weekend. Users, he believes, are becoming increasingly comfortable with the idea of managing their own profiles, so why not let them do the same as bank customers?

Secondly, the technology is here which can offer customers a much more fine-tuned list of options than ever before, especially on mobile phones. Witness ActivIdentity’s own (yet officially unannounced) plans to bring smart cards to phones, essentially converging physical and logical security (which is why HID bought them in the first place, after all; expect to see a viable product offering sometime in the next 12 to 18 months).

Thirdly, Julian feels that American bank customers in particular have become much more sensitized to issues such as online security and identity theft than before. “Everybody knows somebody who knows somebody whose bank account has been compromised he says. Not only in America, as my wife here in Munich can tell you. She caught a very clever Trojan a few years back that cleaned out her account and tried to send the money to the Ukraine; we caught up with it in time, but that was pure, dumb luck!

I’m not all that sure user-managed security will fly, but maybe that’s because I’m skeptical by nature. What I do feel will happen, and what is already starting to take off in some places, is a shift from session-based to transaction-based authentication. This will put the onus on the Europeans and most especially on the German bankers who I feel are a tad too complacent. In my opinion it is only a matter of time before some court of law rules in favor of a bank client who has been ripped off online, stating that it is the bank’s responsibility to protect the account holder, as the FFIEC will probably mandate in the US when their new guidelines come out this summer.

By then, we may see a totally different conversation going on between bankers and security experts. And that isn’t neccessarily a bad thing, either.